Category Archives: Tip

Box Direct Linking

According to Box Help, direct linking to files is only supported for paid accounts; however, I found that it is possible to link directly to a file with a free account. Just create your own direct URL using the following format: https://app.box.com/index.php?rm=box_download_shared_file&shared_name=<SHARE_NAME>&file_id=<FILE_ID>

<SHARE_NAME> is the random alphanumeric string that is part of a share link, for example https://app.box.com/s/sn5mfs7esv0w35ybeoa5. This standard share link takes you to a page where you can view an online preview of the file and click a download button to get the actual file.

<FILE_ID> is the numeric identifier for the file, which appears at the end of the URL when editing the file, for example https://app.box.com/files/0/f/0/1/f_33678058764

The direct link for this example would be https://app.box.com/index.php?rm=box_download_shared_file&shared_name=sn5mfs7esv0w35ybeoa5&file_id=f_33678058764

Since this isn’t officially supported, Box could update the service at any time to prevent this.

Chrome Update Web Forgery

In viewing one of those "…you won’t believe what happens next…" sites, I ran across a pretty well formed fraudulent website attempting to get me to install malware/spyware. I’m used to most of these attempts sounding very alarmist as they try to get me to download and install something.

[Image: Chrome-Forgery]

Other than the Chrome logo and the URL, this is a well formatted and convincing page. It’s even accurate. I was using Chrome 35 on Windows.

Looking at the source:
[Image: Chrome-Fogery-DL]
The "Accept and Install" button would have downloaded "Chrome_Setup.exe". Unfortunately I don’t have a system I want to risk installing this on to see what it actually is.

Bypassing Basic Download Filters

The other day, I was trying to update the driver for my EVGA GeForce GTX460 Video Card, but the download kept stopping at 180MB out of 271MB. After re-starting the download a few times, I realized that my ISP or firewall was flagging something malicious and interrupting the download. I figured I had 4 options:

  1. Download the driver on my server, and then download it to my PC using SFTP.
  2. Download it over a VPN. Being limited to 300kb/s bandwidth on the free ProXPN VPN didn’t seem like a good option either.
  3. Download it over public Wi-Fi. Just annoying.
  4. Download it over https.

Assuming it worked, I figured option 4 would be the easiest. The default download link took me to http://us.download.nvidia.com/Windows.... By changing the link to https://us.download.nvidia.com/Windows..., I received a certificate mismatch message, but the download worked when I overrode the warning. A closer look at the warning shows the https certificate is for the domain name a248.e.akamai.net. This seems safe to me, since Akamai is a CDN, so it makes sense that NVIDIA could be using Akamai to distribute their drivers. I would be more cautious if the certificate was not issued to a CDN or NVIDIA itself. Remember to check that the installer was signed by the appropriate company (NVIDIA in this case).
[Image: Cert Error]

I haven’t tried this on other downloads, but I think it should work on a fair percentage of them.
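
As an added example (not part of the original post), one way to do the installer signature check mentioned above from PowerShell on Windows. The installer path and the expected publisher name are placeholders chosen for illustration; adjust both to the file and vendor in question.

```powershell
# Added example: verify the Authenticode signature of a downloaded installer
# before running it. Path and publisher below are assumptions, not from the post.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root. 'NotSigned' or 'HashMismatch' (file changed
    # after signing, e.g. a truncated or altered download) both fail here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves that someone signed the file; check who.
    $signer = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($signer -ne $ExpectedPublisher) {
        Write-Warning "Signed by '$signer', expected '$ExpectedPublisher'"
        return $false
    }

    # Print the hash so the file can be compared with a copy fetched over a
    # different path (for example the SFTP route from option 1).
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "OK: signed by '$signer', SHA256 $hash"
    return $true
}

# Placeholder path and publisher name (assumptions for illustration).
$installer = "$env:USERPROFILE\Downloads\driver-installer.exe"
if (Test-InstallerSignature -Path $installer -ExpectedPublisher 'NVIDIA Corporation') {
    Write-Host 'Signature checks passed.'
} else {
    Write-Host 'Do not run this installer.'
}
```

Because the TLS certificate warning was overridden, the transport gave no assurance about the file, so this signature check is the only integrity control left for that download.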

OptionsHouse Secure PINs

OptionsHouse offers two-factor authentication with a Google compatible authenticator and an additional PIN to make security related account changes. This seems to be pretty good security, but if you have multiple accounts, you have to enable the security PIN separately for each account. If you don’t, you can get to your two-factor authentication settings from the account(s) without a security PIN, even though the two-factor authentication settings are global.

My Heartbleed Recommendations

There are plenty of good resources (and a lot of not so good resources) with information and recommendations regarding the Heartbleed Bug, CVE-2014-0160. My top resource:

If you use LastPass to store your passwords, you can use the LastPass Security Challenge to have LastPass check all of your stored passwords.

LastPass’ checker provides a nice Assessment that tells you whether to change your password now or to wait.

Once you’ve determined which sites need a password update, make sure you do the following:

  • Change your password
  • Sign out of all sessions, because session cookies may have been compromised. Some examples:
    • In Gmail, scroll to the bottom of your mail window, click ‘details’ in the bottom right, and click the ‘Sign out all other sessions’ button
    • In Facebook click the downward pointing triangle, click ‘Settings’, click ‘Security’ in the left sidebar, click ‘Where You’re Logged In’, and click ‘End All Activity’
  • Remember to change your app specific passwords. While these usually have restricted access to your accounts, these passwords would have been vulnerable to compromise too. Some examples:
    • For Google, go to Account Security Settings, click ‘App Password Settings’, revoke all of your existing App Specific passwords, and create new application-specific passwords.
    • For Yahoo!, go to your account settings, click ‘Manage your app passwords’, click ‘Remove All’, and regenerate passwords.

Edit 4/16/14: Removed references to the CNET affected sites list, because it seems to contain false positives. Added a link to The Register’s technical explanation of the bug.